[Samba] gidNumber's and ldap backed samba PDC

Adam Tauno Williams awilliam at whitemice.org
Tue Mar 24 20:04:25 GMT 2009

On Tue, 2009-03-24 at 19:31 +0100, LiPi - wrote:
> Despite that RID!=GID, mappings between samba rids and groups must be
> there if you want the server to act as a PDC. If there are some GID's
> mapped to i.e. RID 512, and these GID is used by another group, then
> there will be a conflict.

No, because that is just not how the mapping works.

$ ldapsearch -LLL sambaSID=S-1-5-21-2037442776-3290224752-88127236-512
dn: cn=cifsadmins,ou=Groups,ou=SAM,o=Morrison Industries,c=US
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: cifsadmins
gidNumber: 1999
sambaSID: S-1-5-21-2037442776-3290224752-88127236-512
sambaGroupType: 2
description: Local Unix group
displayName: Domain Admins
memberUid: steve
memberUid: cleslie
memberUid: adam
memberUid: rhopkins
memberUid: bonjour

You map domain groups to POSIX groups using the "net groupmap" command;
the RID:GID relationship is completely arbitrary.  They might be the
same, they might not; it just doesn't matter.

I have no idea what "GID's mapped to i.e. RID 512, and these GID is used
by another group" even means.  How is a GID "used by another group"?
The GID is the unique identifier of a POSIX group.  If you have multiple
groups with the same GID, that is just messed up.  With "net groupmap"
you establish the relationships of SIDs to GIDs;  the RID is just the
part of the SID relative to the domain portion of the SID.

> I had this problem one week ago, when I was trying to give permissions
> to a folder. So, choose N GID's to map with samba RID's or change the
> group GID of these conflicting groups. Also be careful with UIDs.
